(57) ABSTRACT



A system protects against loss of communication during network attacks. In a first implementation, a system (120) models the behavior of normal users in a network in response to an application of a first packet filtering technique. The system (120) receives a group of packets from a first user subsequent to the application of the first packet filtering technique and creates one or more models reflecting the behavior of the first user based on the received packets. In another implementation, a system (130) receives a stream of packets subsequent to a filtering technique being applied, partitions the packets into groups, where each group corresponds to more than one packet, and classifies each group of packets as a normal group or an attack group using one or more models. Each model reflects a normal response to an application of the filtering technique. The system (130) forwards groups classified as normal groups, thus preventing network attacks from choking off all communication in the network.

17 Claims, 7 Drawing Sheets 
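
The two implementations in the abstract (training models on normal users after filtering is applied, then classifying groups of packets and forwarding the normal ones) can be sketched as follows. This is an added example, not code from the patent; the per-source grouping, the mean inter-packet-gap feature, the mean/standard-deviation model, the 3-sigma threshold and all sample data are assumptions.

```python
# Added illustration. Assumptions (not from the patent): strands are grouped
# per source, the feature is mean inter-packet gap, the model is mean/stdev.
from collections import defaultdict
from statistics import mean, stdev

def form_strands(packets, group_size=4):
    """Partition (timestamp_s, source) packets into per-source groups."""
    by_src = defaultdict(list)
    for ts, src in packets:
        by_src[src].append(ts)
    strands = []
    for src, times in by_src.items():
        times.sort()
        # Trailing packets that do not fill a group wait for the next batch.
        for i in range(0, len(times) - group_size + 1, group_size):
            strands.append((src, times[i:i + group_size]))
    return strands

def mean_gap(times):
    """Feature: mean spacing in seconds between packets of one group."""
    return (times[-1] - times[0]) / (len(times) - 1)

def train_stress_model(normal_packets, group_size=4):
    """Learn how normal users pace packets after filtering is applied."""
    gaps = [mean_gap(t) for _, t in form_strands(normal_packets, group_size)]
    return {"mu": mean(gaps), "sigma": max(stdev(gaps), 1e-9)}

def classify(times, model, z_max=3.0):
    """'attack' if the group sends much faster than the modeled response."""
    z = (model["mu"] - mean_gap(times)) / model["sigma"]
    return "attack" if z > z_max else "normal"

def forward_normal(packets, model, group_size=4):
    """Return only the groups classified as normal."""
    return [(src, t) for src, t in form_strands(packets, group_size)
            if classify(t, model) == "normal"]

# Constructed sample data: two normal users observed after filtering began.
TRAINING = ([(t, "u1") for t in (0, 0.8, 1.7, 2.7, 4.0, 5.1, 6.2, 7.3)] +
            [(t, "u2") for t in (0, 1.0, 2.0, 3.0, 4.0, 5.2, 6.4, 7.6)])
# Constructed live stream: "alice" slows down, "bot" keeps flooding.
LIVE = [(10.0, "alice"), (10.00, "bot"), (10.01, "bot"), (11.0, "alice"),
        (10.02, "bot"), (12.1, "alice"), (10.03, "bot"), (13.0, "alice")]

if __name__ == "__main__":
    model = train_stress_model(TRAINING)
    print(forward_normal(LIVE, model))
```
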



[Representative drawing: flowchart. Box labels: FILTERING RULES; APPLY FILTERING; RECEIVE PACKET STRANDS; IDENTIFY PACKETS AND ASSOCIATE FEATURE(S); FORM TRAFFIC STRANDS; TRAIN STRESS MODELS BASED ON TRAFFIC STRANDS; STORE FEATURES AND ANNOTATIONS; STORE STRESS MODELS; END. Reference numerals shown: 630, 640, 650.]



US 7,307,999 B1






U.S. Patent    Dec. 11, 2007    Sheet 1 of 7    US 7,307,999 B1








